Acceptance vs retention of risk

Updated: Dec 24, 2025

Back in 2009, ISO Guide 73 defined 'risk treatment' as follows:



Note that 'retaining the risk by informed decision' was noted as one of seven risk treatment options at that time.


Guide 73 defined 'risk acceptance' and 'risk retention' separately.



There are problems with both definitions e.g.

  • We literally just read that risk retention involves 'informed decision', so does that mean both risk acceptance and risk retention are based on 'informed decisions', in other words deliberate, intentional decisions? This may or may not be a direct linguistic conflict, but it is certainly confusing.

  • If risk acceptance requires 'informed decision', doesn't that preclude it from occurring 'without risk treatment'? Isn't the very decision a form of treatment?

  • If accepted risks are to be monitored and reviewed (presumably through a defined process, although unstated), why not also monitor and review retained risks? Are they really so different?

  • The definition of risk retention twice refers to [risk] acceptance, tying these terms and definitions together and suggesting that risk acceptance is the more fundamental term, despite risk retention rather than risk acceptance being identified as part of risk treatment.

  • What about risks that are not even recognised or identified as such, or are wrongly characterised, analysed, evaluated and treated: are they also accepted or retained? They certainly exist and may bite us on the bum.


Despite the problems, both definitions still turn up from time to time, sometimes slightly modified (e.g. ISO/IEC 27005:2022 added 'temporary' to risk retention, for some reason I can't recall) ... but I'm not convinced of the distinction.


Seems to me, risks that are accepted are retained. They cannot be retained without also being accepted. So risk acceptance and risk retention are synonymous ... but I decided to dig deeper, asking Google Gemini for advice:



Being an awkward, argumentative, nit-picking sod, I don't entirely accept or agree with Gemini's analysis either e.g.:

  • The 'nature' row suggests that risk acceptance alone requires 'a deliberate informed decision' whereas risk retention can be a risk treatment option (presumably following an informed decision) "or lack thereof", suggesting that risks can be retained passively/by default (through inaction or ignorance).

  • The 'timing' row indicates that risk acceptance takes place during the risk analysis and treatment part of the risk management process, whereas risk retention is described as a subsequent outcome.

  • The 'action' row is gibberish.

  • The 'relationship' row is intriguing. It acknowledges that risk acceptance "is often a form of, or leads to, risk retention" which, to me, makes them virtually synonymous. However, it says risk retention may not be the result of "a formal acceptance decision" and can be an "implicit outcome" ... which I agree with, but our interpretation is at odds with the ISO Guide 73 definition of risk treatment.

  • The 'context' row expresses essentially the same thing in two ways, again indicating that these terms are synonymous.


In practice, I believe risk acceptance is the more common and fundamental term, so the Cybersecurity Hyperglossary defines it, while the risk retention entry says "See risk acceptance" (with a link to its definition) and quotes the definition from ISO/IEC 27005. It isn't appropriate to elaborate on the nuances in the hyperglossary but here in the blog I can wax lyrical ... and invite comments. Am I right or wrong? What am I missing or misunderstanding? What's your position on this? What about non-ISO definitions of these terms: any help?


Over to you, friends. Comments welcome.


-------------------------------------------------------------


Thanks to comments on LinkedIn, I have drafted this amended, working, plain-English definition:


 

... with hyperlinks from keywords in that definition to 3 further defined terms:


  • Risk - defined as 'chance of something not going as expected' ... plus about 200 words of explanation, plus 200 more of quoted-and-cited formal definitions - this being a core term-of-art;

  • Risk acceptance - 'decision to live with rather than mitigate, share or avoid risk' plus about 100 words of plain English + 100 words of formal definitions; and

  • Residual risk - 'left-over risk that remains despite any and all risk treatments applied'.


To complicate matters further, the definition of 'residual risk' is longer than most with 13 linked keywords and 3 synonyms: 'retained risk', 'net risk' and 'controlled risk', and 6 formal definitions. I am now checking them for consistency with changes rippling through the Cybersecurity Hyperglossary. Maybe those 4 terms are not truly synonymous - in particular, 'controlled risk' feels different, somehow.
